GDPR Compliance

Last updated: June 25, 2026

Our Commitment to Data Protection

canyon-labs is committed to protecting your personal data in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. This page outlines our compliance measures and your rights under UK data protection law.

Data Controller Information

For the purposes of UK data protection law, the data controller is:

canyon-labs
142 Kingsland Road
London E2 8DY
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The primary legal grounds we rely upon are:

• Legitimate Interests: Processing necessary for our legitimate business interests in responding to inquiries, providing services, and improving our offerings, provided such interests do not override your fundamental rights
• Contract Performance: Processing necessary to fulfill contractual obligations when engaging in development projects with clients
• Consent: Where you have given explicit consent for specific processing activities, such as marketing communications
• Legal Obligation: Processing required to comply with legal or regulatory requirements

Data Subject Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right of Access

You may request confirmation of whether we process your personal data and obtain a copy of such data along with supplementary information about the processing.

Right to Rectification

You may request correction of inaccurate personal data and completion of incomplete data.

Right to Erasure

You may request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes collected, where you withdraw consent, or where you object to processing and no overriding legitimate grounds exist.

Right to Restriction

You may request that we restrict processing of your personal data in specific situations, such as while we verify the accuracy of contested data.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used format and transmit it to another controller.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently engage in such automated decision-making.

Exercising Your Rights

To exercise any of these rights, please contact us using the details provided above. We will respond to requests without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

We may require verification of your identity before processing requests. No fee is charged for reasonable requests, though we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

Data Protection Principles

We process personal data in accordance with the following principles:

• Lawfulness, fairness, and transparency in all processing activities
• Purpose limitation, collecting data only for specified, explicit, and legitimate purposes
• Data minimization, ensuring data collected is adequate, relevant, and limited to what is necessary
• Accuracy, taking reasonable steps to ensure personal data is accurate and kept up to date
• Storage limitation, retaining data only as long as necessary for stated purposes
• Integrity and confidentiality, implementing appropriate security measures
• Accountability, demonstrating compliance with these principles

International Data Transfers

We primarily process and store data within the United Kingdom. Where data must be transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK authorities or transfers to countries with adequacy decisions.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay. Breaches posing high risk will be reported to affected individuals within 72 hours of becoming aware of the breach. We maintain documented procedures for detecting, reporting, and investigating breaches.

Data Protection Impact Assessments

Where processing operations are likely to result in high risk to individual rights, we conduct Data Protection Impact Assessments to identify and mitigate such risks prior to commencing processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority if you believe our processing of your personal data violates data protection law. In the United Kingdom, the supervisory authority is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through prominent notice on our website.